CryptoLocker

What is CryptoLocker?

CryptoLocker is a new malicious program classified as “ransomware” which, once running on your computer, actually encrypts your documents, pictures, and data so that you cannot access any of it – and then displays a message saying that it will decrypt your data for you if you pay US$300 within 2 or 3 days, otherwise it will make it impossible to ever access your data again.

The encryption is “strong”, that is, it cannot be beaten. If your files get encrypted, there is no way of decrypting them without having the unique “private key” that the CryptoLocker programmers hold. They say that if you don’t pay the US$300 within their allocated time, they will delete the private key – making decryption impossible.

How could CryptoLocker get onto my PC?

CryptoLocker doesn’t spread from one PC to another like a virus, strictly, it isn’t a virus at all. It could arrive on your PC by email – as an attachment to an email. Typically the email will have a generic subject like “Authorization to use privately owned vehicle for business” which pretends to be from someone within your company (so if your email address was john.smith@digitalred.com, the email could pretend to be from human.resources@digitalred.com) and the email message will tell you that you need to open the attached PDF.

There’s not likely to be a PDF attached, rather, a .zip file which contains a program – though to try and fool you, the program will be called something like authorisationform.pdf.exe and it’ll have an icon that looks like a PDF file. It is, in fact, a program (it ends in .exe) – though by default, Windows doesn’t show the file extension of filetypes it recognises – so you might just see the name as authorisationform.pdf

By having received the email, you are not infected. You’d only be infected if you opened the attachment and ran the program. You should, of course, NEVER open an attachment that did not arrive from someone you trust and that you were not expecting. It is not safe to assume that an unexpected attachment from someone you know is safe to open – it’s easy for a virus to send itself to everyone in someone’s address book.

Once you’ve opened an attachment like the one described, you probably won’t see anything. The malicious program will run in the background for a couple of days, keeping its head down.

I have antivirus software on my PC, so I’m protected against stuff like this

Not necessarily. Antivirus programs can only protect you against threats they know about. They can only know about them after they have been identified, protected against by the antivirus program’s developers, AND your PC downloads the updated protection files so that it knows to look out for something.

15 years ago you could subscribe to an antivirus program for a year and get just quarterly updates on floppy disc. The turnaround time between detection and protection could be 3 months! Today, your antivirus program will download updates every day, perhaps twice a day, but that still leaves a period of 12 hours between updates: that’s a long time when a developer could create a new virus and send it by email to millions of people within a couple of minutes.

The email you received at 09:05 this morning could have contained a virus which was only created at 09:01 today: the email would pass through the mailserver’s antivirus scan, and then through your own PC’s antivirus scan, and the malicious attachment wouldn’t be detected until 22:00 tonight. If that was the case, your PC could be doing all kinds of stuff all day and you’d never know!

What can I do to protect myself?

The easy answer is as above – NEVER open an attachment that did not arrive from someone you trust and that you were not expecting. It is not safe to assume that an unexpected attachment from someone you know is safe to open.

You should especially never open a .zip attachment and open whatever is inside it, unless you REALLY REALLY expected to receive the file. Zip files are not themselves dangerous, they are just compressed files after all, but as mailservers have rejected .exe files being attached to email for years and always allowed .zip files, malicious people are now just putting .exe files inside .zip files

It’s obvious really – if you get an email pretending to be from HMRC, or UPS, or a bank, or Microsoft, or a hotel booking confirmation that you didn’t make, or an Amazon transaction you didn’t make, chances are it’s going to be rubbish. Even more so when your name doesn’t appear in the email, and there’s nothing specific in the message at all. The emails are like horoscopes – they sound so vague that they could apply to anyone. It’s less a technical trick, more social engineering.

What should I be doing to stay safe?

There are a few things you can do, and you should already be doing most of them. If I’ve worked on your PC in the past, I’ve probably at least told you most of this if not already done most of this for you already.

Keep your PC up to date – that is with an antivirus program, keep Adobe Reader and Adobe Flash up to date, don’t have Java installed unless you really need it, make sure that Windows Update runs regularly and install all of the important/recommended updates.

Stop using Windows XP – you shouldn’t really be using it now, you absolutely shouldn’t be using it after the end of March next year (2014)

Only ever run your computer using a ‘standard’ user and not an ‘administrator’ user

Never open attachments from emails that you were not specifically expecting

Is there anything that can protect against CryptoLocker specifically?

The CryptoLocker program runs on your computer in a specific temporary folder. You can block programs from running in that temporary folder, therefore preventing CryptoLocker from being able to run.

There are details on how to make this change manually on the Bleeping Computer website, or you can make the changes automatically if you download this application and run it on your PC. You’ll need to reboot once it has run for the changes to take effect.

What should I do if I’m infected?

There are resources available on the Bleeping Computer website that explain, the details are always changing so rather than repeat out of date information here, I suggest you read the Bleeping Computer page. It’s here.

Can Digital Red decrypt my files for me if I get infected?

No. Nobody can. If you get infected, and an antivirus program removes the infection after your files are encrypted, your files will stay encrypted. You can’t decrypt them without having the “private key”, and you can’t get that key without paying the US$300 ransom.

What about my encrypted files?

Read the Bleeping Computer guide or phone for advice, but your best hope is your backup. You really should have a backup. Windows may have created a copy of your files for you, which you may be able to access via the ‘Previous Versions’ feature or via System Restore, but you should not rely on that at all.

Remote Support

Telephone Support

Telephone number 020 3411 4445 (UK) +44 20 3411 4445 (Int’l)

Hours of business Open 9am – 5.30pm UK time, mobile number available for out of hours tech support.

About Digital Red

Digital Red provides small businesses, home workers and individuals with friendly and professional technical support on all aspects of IT and PC use. Digital Red is based north west of London in Ruislip.